pony | 4f64e6afca5564e70b607a42eeb029253df6b0f542bc64d558ee6bffcc8910fa | Triage

Sharing

General

Target

JaffaCakes118_98470a6e26e65e45d23396e4d176f4b9
Size

165KB
Sample

250330-f1wtvstjx5
MD5

98470a6e26e65e45d23396e4d176f4b9
SHA1

83fb0c7abb4279f7a19687f8de411926b9360796
SHA256

4f64e6afca5564e70b607a42eeb029253df6b0f542bc64d558ee6bffcc8910fa
SHA512

02d26e3477253813a3b6527c0e595e4ff207f1c247d28cbccae8a2fad2c32635830c6c3861f431e865c11c754771e1db3eb62956103b47be89878eff8313f3e1
SSDEEP

3072:5w4Ch77zmMJPJnl8XPlRm+SlWqvhYYYYYYYYH0R9dT9kbJappppppcy8Wjb45E:qp8/jDSrPryLb45E

Score

10^/10

pony collection credential_access discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://skywalke.tk/pony/gate.php

Targets

- Target
  
  JaffaCakes118_98470a6e26e65e45d23396e4d176f4b9
- Size
  
  165KB
- MD5
  
  98470a6e26e65e45d23396e4d176f4b9
- SHA1
  
  83fb0c7abb4279f7a19687f8de411926b9360796
- SHA256
  
  4f64e6afca5564e70b607a42eeb029253df6b0f542bc64d558ee6bffcc8910fa
- SHA512
  
  02d26e3477253813a3b6527c0e595e4ff207f1c247d28cbccae8a2fad2c32635830c6c3861f431e865c11c754771e1db3eb62956103b47be89878eff8313f3e1
- SSDEEP
  
  3072:5w4Ch77zmMJPJnl8XPlRm+SlWqvhYYYYYYYYH0R9dT9kbJappppppcy8Wjb45E:qp8/jDSrPryLb45E
Score

10^/10

discovery pony collection credential_access persistence rat spyware stealer upx
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

ponycollectioncredential_accessdiscoverypersistenceratspywarestealerupx